On January 27, 2023, California Attorney General Rob Bonta announced an « investigative inquiry » into mobile apps for failing to honor consumer opt-out requests to stop selling their data under the California Consumer Privacy Act (CCPA).
In effect, the California Attorney General has called on mobile app developers to comply with state privacy laws and consumer opt-out requests, in which case they will have to stand ready to face heavy charges.
Rob Bonta maintains a list of enforcement actions taken against companies that are not in compliance with the California Consumer Privacy Protection Act (CCPA).
As part of the state’s latest compliance audit, the attorney general sent letters to companies with mobile apps that allegedly ignored consumer opt-out requests or sold user data, despite the CCPA, which prohibits such sales of personal information, among other things.
This year’s operation, which focuses on retail, travel, and restaurant apps, also targets companies that failed to process consumer requests submitted by an authorized agent.
One of those authorized agents is Consumer Report’s Permission Slip mobile app, which allows consumers to submit requests to opt out and delete their personal information.
« We are thrilled to see the Attorney General’s office holding companies accountable to privacy laws that protect consumers. (…) People often struggle to use their privacy rights, and registering an agent can help streamline the process. This is a win for consumers and for the privacy of their data, » said Ginny Fahs, director of research and product development, at Consumer Reports Innovation Lab.
The CCPA requires companies that receive one of these requests to remove the requester’s information from their systems and stop collecting it for future retention.
Last year, the investigation resulted in a $1.2 million fine against global retailer Sephora. It also showed that Bonta had a broad definition of « selling » consumer data and was willing to aggressively pursue companies that the state said were not following the rules.
This year, Bonta has another tool at his disposal: the California Privacy Rights Act (CPRA), which is essentially an amendment to the CCPA requiring companies not to « share » consumers’ personal information with third parties. The CPRA became operational in January, and enforcement will begin later this year.
« In California, consumers have the right to prevent the sale of their personal information, and my office is working tirelessly to ensure that companies recognize and address consumer opt-out requests, » Bonta said in a statement.
